Abstract

Composite Overwrapped Pressure Vessels (COPVs) are often used for storing pressurant gases on 
board spacecraft when mass saving is a prime requirement. Substantial weight savings can be achieved 
compared to all metallic pressure vessels. For example, on the space shuttle, replacement of all metallic 
pressure vessels with Kevlar COPVs resulted in a weight savings of about 30 percent. Mass critical space 
applications such as the Ares and Orion vehicles are currently being planned to use as many COPVs as 
possible in place of all-metallic pressure vessels to minimize the overall mass of the vehicle. Due to the 
fact that overwraps are subjected to sustained loads during long periods of a mission, stress rupture failure 
is a major concern. It is, therefore, important to ascertain the reliability of these vessels by analysis, since 
it is practically impossible to show by experimental testing the reliability of flight quality vessels. Also, it 
is a common practice to set aside flight quality vessels as “fleet leaders” in a test program where these 
vessels are subjected to slightly accelerated operating conditions so that they lead the actual flight vessels 
both in time and load. The intention of fleet leaders is to provide advanced warning if there is a serious 
design flaw in the vessels so that a major disaster in the flight vessels can be averted with advance 
warning. On the other hand, the accelerating conditions must not be so severe as to be prone to false
alarms. The primary focus of the present paper is to provide an analytical basis for designing a viable fleet 
leader program for carbon COPVs. The analysis is based on a stress rupture behavior model incorporating 
Weibull statistics and power-law sensitivity of life to fiber stress level. 

Nomenclature

Symbols

$F$                lifetime distribution function
$P_f$              probability of failure
$R$                reliability
$S$                stress ratio
$N$                number of vessels
$\sigma$           fiber stress
$\sigma_{ref}$     fiber stress at burst pressure
$t$                time in hours
$t_d$              design life
$t_{ref}$          characteristic time corresponding to $\sigma_{ref}$
$\rho$             power-law coefficient for stress
$\beta$            lifetime shape parameter
$\alpha$           Weibull shape parameter for fiber strength
$\theta$           power law exponent to represent damage level

Subscripts

fl, Op, op         fleet leaders, operational vessels and operating condition
d, D, crit         design, degraded and critical condition

Introduction 

Composite Overwrapped Pressure Vessels (COPVs) are often used for storing pressurant gases 
onboard spacecraft. Kevlar, glass, carbon and other more recent fibers have all been used as overwraps. 
COPVs with metal liners are susceptible to many of the same failure modes as metallic pressure vessels, 
but additional considerations are required to ensure that the vessel has a reliable composite overwrap. Due 
to the fact that overwraps are subjected to sustained loads for an extended period during a mission, stress 
rupture failure is a major concern. Such failures can occur at loads that are much lower than the static 
strength of these vessels. A COPV that fails in stress rupture will burst suddenly without warning leading 
to catastrophic consequences such as loss of a vehicle and its crew. 

In order to assure safe and reliable operation of such vessels, it is often a requirement to show by 
appropriate analyses that the failure probability due to stress rupture is low enough (i.e., the reliability is 
high enough) to satisfy predetermined mission requirements. There are a number of models available in 
the literature that can be used to estimate the reliabilities of COPVs. However, the model parameters must 
be determined from available test data using accepted statistical techniques such as maximum likelihood 
or Bayes methods. For example, for Kevlar COPVs there exists a large database of stress rupture lifetime 
data that was generated primarily by Lawrence Livermore National Laboratory (LLNL), Cornell 
University and the NASA Johnson Space Center (JSC) and with Kevlar material characterization 
contributions from the Y12 Plant at Oak Ridge National Laboratory and Sandia National Laboratories. 
These tests have involved single fibers, fiber bundles (yarns), resin impregnated strands (or tows), and
laboratory scale COPVs loaded at a single constant stress level (Refs. 1 and 3 to 6) for times ranging from 
a few minutes to many years. Similar data for carbon vessels is largely lacking, thus forcing one to use 
other means of establishing stress-rupture lifetime, and mitigation procedures to reduce failure risk 
(Ref. 2). 

In the absence of sufficient quality stress-rupture lifetime data, an alternative approach often proposed 
to mitigate stress rupture risk is to establish a program of so-called “fleet leader” COPVs, that is subscale 
vessels that lead the fleet in terms of time or fiber stress level under load and possibly under higher 
temperature. Such approaches have been used in the past for both Kevlar and carbon fiber COPVs. For 
example flight quality sub-scale Kevlar COPVs were put in a test program at JSC at slightly higher fiber 
load level than the actual fleet on the Orbiter before the Space Shuttle missions started. The vessels had 
similar wrap patterns and the same material system for the wrap as the fleet vessels on Orbiter (though 
recent analysis has shown that the fleet leader fiber stress ratios were actually below those for the largest 
vessels in the Orbiter fleet). A few of the vessels were also put under more severe accelerated conditions 
by subjecting them to much higher operating temperatures. For the International Space Station (ISS) 
program, several carbon COPVs of different sizes were impact damaged prior to placing them in a fleet 
leader test program. The vessels were also pressurized to slightly higher loads than the operating loads of 
typical ISS COPVs. The program is still ongoing after more than 9 years, and so far no failures have 
occurred. 

A formal design/analysis procedure for setting up a fleet leader program is, however, not available. 
Thus the basis for setting up the number of vessels and the operating conditions for the fleet leaders has 
been largely ‘ad hoc’ and based on the particular bias of the program engineer. In the present paper a 
formal analytical procedure is developed, based on the classic reliability model (Refs. 1 and 7 to 10) for 
COPVs, by which means one can design the number of fleet leaders required and the accelerating 
operating conditions (pressure, time, temperature) necessary to meet the goals of a typical fleet leader 
program. Typically such goals are to provide legitimate advance warning when risk of failure is becoming 
unacceptable (due to predictable material degradation but where model parameters are imprecise, or due to
overlooked errors in the manufacturing process), but at the same time not have accelerating conditions
severe enough to result in false alarms. 


Fleet Leader Concepts 

The main purpose of a fleet leader program is to address statistical uncertainty in forecasting the 
reliability of a COPV, which may have been designed and manufactured according to a particular 
reliability model to serve for some long design lifetime, $t_d$. The key idea is to perform lifetime tests on
several vessels that are either identical to or are accurate scale models of the vessel in service, and to use 
some failure rate accelerating condition such as a higher pressure, or a higher temperature or a faster time 
accumulation at constant load (which requires that the actual vessel in service lags the fleet leaders by 
spending much of its time unloaded). True fleet leaders correspond to the use of exact replicas and 
operating conditions of the service vessel but at a higher rate of usage. However, the term ‘fleet leader’ is 
also often used to describe scale models put under failure rate accelerating conditions, but this requires 
more sophistication in terms of a reliability model that can transform one scale and stress state to another. 

One role of a fleet leader is to expose potential errors in design, quality control or manufacturing before
they lead to catastrophic failure in the fleet itself. If true, the acceleration in loading conditions should be
severe enough to produce failure of a fleet leader with high probability long before the end of design life; 
for example the fleet leader failure probability becomes >0.95. This would sound a so-called ‘true alarm’ 
that vessels in service appear to have reliabilities for their intended lifetimes that are far less than 
originally calculated by the model, which means that some life-shortening factor was overlooked, such as 
use of a set of poor quality spools, or pre-preg whose shelf-life had long expired. (For instance the true 
vessel reliability is now only 0.995 rather than the 0.999999 or six nines it was originally designed to 
meet). 

On the other hand, if no such design or manufacturing errors have occurred (beyond the well 
characterized material variability and design tolerances), then the accelerating condition should be 
moderate enough that the probability of failure of a fleet leader over the lifetime is appropriately low (say 
<0.01 or one-in-a-hundred) since such a failure would become a ‘false alarm’ that would initiate a time- 
consuming, expensive and inconclusive investigation. Note that in the actual flight vessel application, the 
required reliability over the service life may be several nines (e.g., 0.99999 or $P_f = 0.00001$). Thus the
fleet leader is screening for unanticipated errors in design or manufacturing in a context where the 
probability of failure in service is designed to be small to begin with. 

A fundamental point is that the degraded reliability level (or future reliability) implied by the failure 
of a fleet leader and the time of occurrence is a key consideration in setting the load or temperature 
parameters of the failure rate acceleration. For instance, the original design may have called for 0.999999 
or six nines reliability, but once put into service, serious corrective action may not become mandatory 
until the reliability degrades to below 0.999 or three nines. The reason for such a double standard is that 
repair or replacement may itself pose risks that must be taken into account, as well as expenditure of 
resources that might better be spent on eliminating the sources of error or uncertainty in future 
replacement vessels that originally led to the degraded performance. Such decision aspects must be taken 
into account in the initial design of the fleet leader program and the setting of the acceleration factors; 
they should not be deferred until after a fleet leader has failed since the decision process will be ‘ad hoc’, 
and thus, much less likely to be objective. Conversely if the parameters of the fleet leader program are not 
properly set, then whether fleet leaders fail or not will have little meaning in terms of the future reliability 
of the vessels in service. 

In order to design a service vessel to a high reliability standard one must have a robust reliability 
model in terms of service pressure, various design factors and stochastic material properties. This model 
should also form the basis for determining failure acceleration factors corresponding to desired low 
probability thresholds for false alarms. If the model is (1) known from long experience to accurately 
reflect the probability of failure of the service COPV for all relevant lifetimes, and (2) all the parameter 
values of the model are accurately known based on an extensive material database, then the fleet leaders 
serve mainly as confirmation of this fact, i.e., they provide some comfort in terms of a safety margin. In
more technical terms, for these conditions to be true requires that all the uncertainty be “aleatory”
(naturally occurring variability that is irreducible) (Refs. 11 and 12), so that the probability of failure
calculations are straightforward for a given pressure level and one only needs to design to the correct 
service pressure to get the required reliability. 

The more frequent and troublesome situation, however, is where various uncertainties exist in the 
vessel design and fabrication, and particularly in the properties of the overwrap materials, mainly because 
of lack of sufficient supporting data and the wide variety of possible material combinations as well as 
processing and fabrication errors that are possible. For instance, one may have very good information on 
how such overwrap materials behave in general, but be unclear about the behavior of this particular brand 
of overwrap fiber or manufacturing lot since the factory may be newly built and has an inexperienced 
technical staff, or it is a new relatively untested version of fiber. All this may be reflected primarily in 
uncertainties in the true values of the overall model parameters, which if significantly different from those 
assumed in the vessel design, could significantly compromise the reliability. In technical terms, this
means there is considerable “epistemic” uncertainty (uncertainty due to lack of knowledge, proper models or
data, etc.) (Refs. 11 and 12) to add to the previously mentioned aleatory uncertainty, making
reliability predictions at a high level of confidence problematic. 


Fleet Leader Program Modeling Details 

Stress rupture life prediction can be accomplished using the so-called classic model as originally 
pioneered by Coleman (Ref. 7) and further developed by Phoenix and colleagues (Refs. 5, 6, and 8 to 10) 
over the past 27 years. More recently this model has undergone a thorough review during two 
independent technical reviews and assessments sponsored by the NASA NESC (NASA Engineering 
Safety Center) (Refs. 1 and 2). The model is based on a Weibull distribution framework for strength and 
lifetime with the embodiment of a power law to describe damage in a composite versus stress level. 
Derivation of the model is available in References (Refs. 7 and 8) where the power-law in stress level 
(with temperature dependence) is derived from thermally activated chain scission using a Morse potential 
as a model (Ref. 8). In the simplest setting of constant stress applied quickly and maintained over a long 
time period, the basic equation for the model is 


$$ F(t, \sigma_{op}) = 1 - \exp\left\{ -\left[ \left( \frac{\sigma_{op}}{\sigma_{ref}} \right)^{\rho} \frac{t}{t_{ref}} \right]^{\beta} \right\} \tag{1} $$

where $F(t, \sigma_{op})$ represents the probability of failure at time $t$. In the above equation the quantity
$(\sigma_{op}/\sigma_{ref})$ is the ratio of fiber stress at operating pressure to fiber stress at burst pressure
(stress ratio), $t$ is time, $t_{ref}$ is a reference time, $\rho$ is the power law exponent, and $\beta$ is the
Weibull shape parameter for lifetime. The value for $\sigma_{ref}$ is determined from the flight COPV burst tests
and stress analysis of the COPV. The model is shown for a single stress level over time, but for more general
time histories a memory integral is used to accumulate damage (similar to Miner’s rule for fatigue) at
different stress levels.

In order to address issues specific to carbon fibers, an alternative model has also been proposed and 
developed exclusively to address carbon overwrapped vessels which are more common and fast replacing 
the Kevlar overwrapped vessels. The model is known as the ‘fiber breakage model’ the details of which 
are described in (Refs. 2 and 13). As this model is more complicated, it was decided to use the simple 
classic model to develop the analytical framework and illustrate the concepts for fleet leader design. The 
principles however are equally applicable to the fiber breakage model as well. 
Stress Rupture Life Distribution Model

To define a successful fleet leader program one must determine the number of vessels, $N_{fl}$, the stress
ratio at which fleet leaders must be in operation, $S_{fl}$, and the probability of failure of a fleet leader due to
the inherent and well-characterized natural variability (which would produce a false alarm). The classic
model for the stress rupture lifetime distribution can be used to construct an analytical framework for
designing a fleet leader program. As mentioned before, the probability of failure of a single fleet leader
vessel up to time $t > 0$ is well modeled by the lifetime distribution function given in Equation (1) and
rewritten as

$$ F_1(t; \sigma, \sigma_{ref}, t_{ref}, \rho, \beta) = 1 - \exp\left\{ -\left[ \left( \frac{\sigma}{\sigma_{ref}} \right)^{\rho} \frac{t}{t_{ref}} \right]^{\beta} \right\}, \quad t > 0 \tag{2} $$

where the parameters are defined as follows

$\sigma_{ref}$ is a reference stress taken as the observed fiber strength at burst at some prescribed loading
rate, or more precisely, the Weibull scale parameter of the ‘delivered’ fiber strength at burst for
a single vessel;

$t_{ref}$ is a characteristic time corresponding to $\sigma_{ref}$ (i.e., the projected Weibull scale parameter for
lifetime at the fiber stress $\sigma = \sigma_{ref}$);

$\rho$ is the power-law exponent relating lifetime to stress level (i.e., $t \propto \sigma^{-\rho}$ whereby $\log \sigma$
versus $\log t$ plots as a straight line with slope $-1/\rho$);

$\beta$ is the Weibull scale parameter observed for lifetimes, which can be measured from stress
rupture tests.

Note that in a burst test, the Weibull shape parameter for fiber stress at burst can be shown to be
$\alpha = \beta\rho$, so there is dependency among the parameters. Likewise $\sigma_{ref}$ and $t_{ref}$ are related and
depend on the pressure rate used in the burst tests. This version of the model does not assume previous
survival of a proof test of any kind, though the same principles apply with the appropriate conditional
lifetime distribution.

We assume that $N_{op}$ vessels are to be placed in service at operating pressure $p_{op}$ which produces fiber
stress $\sigma_{op}$ and fiber stress ratio

$$ S_{op} = \sigma_{op} / \sigma_{ref} \tag{3} $$

We also assume there are $N_{fl}$ fleet leaders to be put in test under controlled but accelerating conditions at
fleet leader pressure (to be determined), which produces fiber stress and fiber stress ratio

$$ S_{fl} = \sigma_{fl} / \sigma_{ref} \tag{4} $$

(In this paper we shall only consider increased pressure or stress ratio as an accelerating condition.)
Uncertainties in the vessel design and fabrication techniques, and in the overwrap materials are reflected
primarily in uncertainties in the true values of the model parameters $\sigma_{ref}$, $t_{ref}$, $\rho$, and $\beta$ in that
some values might be degraded to varying degrees, in which case the reliability calculation assumed in the
initial design is much too optimistic.


NASA/TM—2009-215685



The two scenarios described in the beginning are formalized as follows: 

(1) If the service time on the $N_{op}$ vessels is intermittent, i.e., only a few days per year at operating
pressure, $p_{op}$, and the remaining time is spent at greatly reduced pressure with respect to stress-rupture,
then the $N_{fl}$ fleet leader vessels may be pressurized to a pressure $p_{fl}$ giving the same fiber stress ratio
$S_{op}$ as in the service vessels (though if the vessels are not identical in design but are scale models, it may
be that $\sigma_{fl} \neq \sigma_{op}$ due to Weibull size effect adjustments). This is the situation that applies to the
Orbiter fleet leaders at ambient conditions, and the idea is that whatever the model parameter values, a fleet
leader has a high probability of failure well in advance of failure of a service vessel due to much more rapid
time accumulation. Note that true fleet leaders are identical vessels.

(2) If the service time in the $N_{op}$ vessels is continuous, then the $N_{fl}$ fleet leaders must be placed
under accelerating conditions, for instance under a higher pressure giving a higher fiber stress
$\sigma_{fl} > \sigma_{op}$ and higher fiber stress ratio

$$ S_{fl} > S_{op} \tag{5} $$

Here, the idea is that if the fiber stress ratios in the fleet leaders are high enough (but not too high), then an
error in the materials quality control or design will result in model parameter values sufficiently different
from those assumed in the design that the probability of failure of at least one fleet leader will be high and
much higher than for the vessels in service despite their having material parameter values inferior to those
that had been assumed in the original design.

To simplify matters and illustrate the key concepts we focus on the situation (2). 

Fleet Leader Design Approach 

The general parameter set is given by

$$ \rho, \quad \sigma_{ref}, \quad t_{ref}, \quad \beta, \quad \alpha = \rho\beta \tag{6} $$

and we will consider two versions, the parameter values used in design, subscripted by ‘d’, and the
degraded parameter set, subscripted by ‘D’. Then we will have

$$ \rho_d, \quad t_{ref,d}, \quad \beta_d, \quad \alpha_d = \rho_d\beta_d \quad \text{(design set)} \tag{7} $$

$$ \rho_D, \quad t_{ref,D}, \quad \beta_D, \quad \alpha_D = \rho_D\beta_D \quad \text{(degraded set)} \tag{8} $$

In Equation (8) we have a set of degraded model parameters that will cause reduced reliability due to
either design errors or inferior materials in terms of variability or breakdown rate not screened out during
quality control testing. For simplicity, we have not added a subscript to $\sigma_{ref}$ since this is usually
determined in prototype burst testing and so forms the basis of the fiber stress ratios whether the
properties are actually degraded or not.

First we derive some basic relationships in terms of the design parameters of the model. For a given
reliability, $R_d = 1 - P_{f,d}$, with respect to survival of $N_{op}$ vessels over the full design lifetime, $t_d$, we
first find the operating stress ratio, $S_{op}$, that will provide this reliability. For this we must solve

$$ F_{N_{op}}(t_d; S_{op}\sigma_{ref}, \sigma_{ref}, t_{ref,d}, \rho_d, \beta_d) = 1 - R_d \tag{9} $$
With the aid of Equation (2), and noting that $\alpha_d = \beta_d\rho_d$, we obtain

$$ N_{op} \, (S_{op})^{\alpha_d} \left( \frac{t_d}{t_{ref,d}} \right)^{\beta_d} = -\ln R_d \tag{10} $$


or 




Probability of a False Alarm 

A “false alarm” signifies that one of the fleet leaders failed due to natural causes. Suppose we wish
to place $N_{fl}$ fleet leaders on test. It is first necessary to decide on an acceptable false alarm probability
of failure, $P_{\text{false alarm}}$, assuming that the design and materials exactly follow the parameter set,
Equation (7), we assumed above. A reasonable choice might be $P_{\text{false alarm}} = 0.01$, that is,
one-in-a-hundred chance of a false alarm. This choice must balance such things as the cost of a false alarm
in terms of triggered investigations and the likelihood a legitimate true alarm will be heeded if the vessels
do in fact have degraded properties. On the other hand, if the value is set too low, the sensitivity of the
fleet leaders in detecting truly degraded vessels is lowered.

Then to determine the operating stress ratio $S_{fl}$ for the fleet leaders, the following equation must be
solved:





,P* 




n ^ p ^ i 




( 11 ) 


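Resulting in

$$ F_{N_{fl}}(t_d; S_{fl}\sigma_{ref}, \sigma_{ref}, t_{ref,d}, \rho_d, \beta_d, N_{fl}) = P_{\text{false alarm}} \tag{12} $$

$$ N_{fl} \, (S_{fl})^{\alpha_d} \left( \frac{t_d}{t_{ref,d}} \right)^{\beta_d} = -\ln(1 - P_{\text{false alarm}}) \tag{13} $$

which gives

$$ S_{fl} = \left[ \frac{-\ln(1 - P_{\text{false alarm}})}{N_{fl} (t_d/t_{ref,d})^{\beta_d}} \right]^{1/\alpha_d} \approx \left[ \frac{P_{\text{false alarm}}}{N_{fl} (t_d/t_{ref,d})^{\beta_d}} \right]^{1/\alpha_d}, \quad 0 < P_{\text{false alarm}} \ll 1 \tag{14} $$
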


Reliability of Sounding a True Alarm 

A “true alarm” signifies that one of the fleet leaders failed due to serious problems in design, or
material quality control. Once the operating stress ratio for fleet leaders is established, we must consider
the probability of sounding a true alarm, $P_{\text{true alarm}}$, if indeed the degraded parameter set,
Equation (8), best characterizes the vessels thus reflecting a serious problem in the design or materials
quality control. The probability of failure of a fleet leader under the degraded set of parameters is given by

$$ F_{N_{fl}}(t; S_{fl}\sigma_{ref}, \sigma_{ref}, t_{ref,D}, \rho_D, \beta_D, N_{fl}) = 1 - \exp\left\{ -N_{fl} \left[ (S_{fl})^{\rho_D} \frac{t}{t_{ref,D}} \right]^{\beta_D} \right\} = 1 - \exp\left\{ -N_{fl} \, (S_{fl})^{\alpha_D} \left( \frac{t}{t_{ref,D}} \right)^{\beta_D} \right\}, \quad t > 0 \tag{15} $$

and thus the probability of a true alarm is

$$ P_{\text{true alarm}} = 1 - \exp\left\{ -N_{fl} \, (S_{fl})^{\alpha_D} \left( \frac{t_d}{t_{ref,D}} \right)^{\beta_D} \right\} \tag{16} $$



The probability of a true alarm depends on the values of the degraded parameters relative to the
original ones, but the problem can be viewed inversely in terms of the desired probabilities of sounding
true alarms, avoiding false alarms and prescribing the level of reduced reliability to be associated with the
degraded parameter values. From previous Equations (14) and (16) we have

$$ S_{fl} = \left[ \frac{-\ln(1 - P_{\text{false alarm}})}{N_{fl} (t_d/t_{ref,d})^{\beta_d}} \right]^{1/\alpha_d} = \left[ \frac{-\ln(1 - P_{\text{true alarm}})}{N_{fl} (t_d/t_{ref,D})^{\beta_D}} \right]^{1/\alpha_D} \tag{17} $$



or 


(-ln(l-P ft]sealarm ))^ * -(t d /t ref j) P^Po ( ^ref ,D /^ref >7 )“ rf “ D “ -^true alarm )) ^ 


or 


-ln(l-P t 


true alarm 





-p. 


false alarm 



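However, $0 < P_{\text{false alarm}} \ll 1$ so that $-\ln(1 - P_{\text{false alarm}}) \approx P_{\text{false alarm}}$, thus

$$ P_{\text{true alarm}} \approx 1 - \exp\left\{ -N_{fl} \left[ \left( \frac{t_d}{t_{ref,d}} \right)^{1 - \rho_D/\rho_d} \left( \frac{t_{ref,d}}{t_{ref,D}} \right) \right]^{\beta_D} \left( \frac{P_{\text{false alarm}}}{N_{fl}} \right)^{\alpha_D/\alpha_d} \right\} \tag{18} $$

Similarly we can calculate the degraded reliability, $R_D$, of the service vessel and this is
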
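$$ -\ln(R_D) = N_{op} \left[ \left( \frac{t_d}{t_{ref,d}} \right)^{1 - \rho_D/\rho_d} \left( \frac{t_{ref,d}}{t_{ref,D}} \right) \right]^{\beta_D} \left( \frac{-\ln(R_d)}{N_{op}} \right)^{\alpha_D/\alpha_d} \tag{19} $$

Since $P_{f,d} = 1 - R_d$ and both $0 < P_{f,d} \ll 1$ and $0 < P_{f,D} \ll 1$, i.e., they are small compared to
one, then we have $-\ln(R_D) \approx P_{f,D}$ and $-\ln(R_d) \approx P_{f,d}$ so that

$$ P_{f,D} \approx N_{op} \left[ \left( \frac{t_d}{t_{ref,d}} \right)^{1 - \rho_D/\rho_d} \left( \frac{t_{ref,d}}{t_{ref,D}} \right) \right]^{\beta_D} \left( \frac{P_{f,d}}{N_{op}} \right)^{\alpha_D/\alpha_d} \tag{20} $$

Taking logarithms of both sides we have

$$ \ln\left( \frac{P_{f,D}}{N_{op}} \right) = \beta_D \left[ \left( 1 - \frac{\rho_D}{\rho_d} \right) \ln\left( \frac{t_d}{t_{ref,d}} \right) + \ln\left( \frac{t_{ref,d}}{t_{ref,D}} \right) \right] + \left( \frac{\alpha_D}{\alpha_d} \right) \ln\left( \frac{P_{f,d}}{N_{op}} \right) \tag{21} $$
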


Critical Threshold of Degraded Reliability for Launching Corrective Action 

To design a fleet leader program we must specify a critical threshold value of $P_{f,D}$ below which the
reliability cannot go without triggering corrective action. This can be defined in various ways, but a 
convenient way is to define 


( 22 ) 

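where $0 < \theta_{D_{crit}} < 1$ is an exponent. Then we can consider a special family of ‘critical damage’
parameter values of the model subscripted as ‘$D_{crit}$’, which, as a group, define threshold values

$$ \rho_{D_{crit}}, \quad t_{ref,D_{crit}}, \quad \beta_{D_{crit}}, \quad \alpha_{D_{crit}} = \rho_{D_{crit}}\beta_{D_{crit}} \tag{23} $$

Equations (21) to (23) can be combined to arrive at the following relation for critical set of damaged
parameters

$$ \beta_{D_{crit}} \left[ \left( 1 - \frac{\rho_{D_{crit}}}{\rho_d} \right) \ln\left( \frac{t_d}{t_{ref,d}} \right) + \ln\left( \frac{t_{ref,d}}{t_{ref,D_{crit}}} \right) \right] + \left( \frac{\alpha_{D_{crit}}}{\alpha_d} - \theta_{D_{crit}} \right) \ln\left( \frac{P_{f,d}}{N_{op}} \right) = 0 \tag{24} $$

Then a worse than critical damage set would need to satisfy

$$ \beta_D \left[ \left( 1 - \frac{\rho_D}{\rho_d} \right) \ln\left( \frac{t_d}{t_{ref,d}} \right) + \ln\left( \frac{t_{ref,d}}{t_{ref,D}} \right) \right] + \left( \frac{\alpha_D}{\alpha_d} - \theta_{D_{crit}} \right) \ln\left( \frac{P_{f,d}}{N_{op}} \right) < 0 \tag{25} $$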
This analysis reveals that the parameters can combine in various ways to cause the same critical
reliability state. Furthermore we can see that success of the fleet leader program in terms of having the
capability to detect a true alarm without a false alarm also depends on the same parameters. Thus we have

$$ P_{\text{true alarm}} \approx 1 - \exp\left\{ -N_{fl} \left[ \left( \frac{t_d}{t_{ref,d}} \right)^{1 - \rho_D/\rho_d} \left( \frac{t_{ref,d}}{t_{ref,D}} \right) \right]^{\beta_D} \left( \frac{P_{\text{false alarm}}}{N_{fl}} \right)^{\alpha_D/\alpha_d} \right\} \tag{26} $$

and the probability of sounding true alarm will depend on the threshold value for the probability of a false
alarm.


Case Studies and Examples 

We now focus on some examples to illustrate several points. 

Case 1: Kevlar 49/Epoxy Fleet Leaders

Suppose four Kevlar 49 overwrapped vessels are to be put in service, which must have a design life of
10 years ($t_d$ = 87,600 hr) at a reliability level of $R_d = 0.999999$ (six nines) or failure probability,
$P_{f,d} = 0.000001$. We assume that the critical reliability for corrective action due to discovered damage or
degraded parameter values is 0.999 or the probability of failure, $P_{f,D} = 0.001$. Thus
$\theta_{D_{crit}} = 1/2$ since $P_{f,D} = \sqrt{P_{f,d}}$. We further assume that the original design parameters were

$$ \rho_d = 24, \quad t_{ref,d} = 1.3 \text{ hr}, \quad \beta_d = 1.67, \quad \alpha_d = 40 \tag{27} $$

The parameters chosen are typical for Kevlar flight quality vessels that are currently being used to
compute reliability of orbiter COPVs. With the aid of Equations (2) and (14) one calculates the fiber
stress ratio $S_{op}$ to be 0.4299. Finally, suppose we place $N_{fl} = 10$ fleet leaders on test and choose
$P_{\text{false alarm}} = 0.01$; that is, we set the probability to be 1/100 that at least one of the 10 fleet leaders
fails when governed by the original design parameters. The required fleet leader stress ratio can be
calculated using Equation (14) as $S_{fl} = 0.529$.

In order for the fleet leaders to be useful, however, they must be capable of detecting a problem with
the design and fabrication of the service vessel whereby the actual parameter values are degraded relative
to those assumed in the design. For instance, we suppose that a key manufacturing process in the fiber or
overwrap was mishandled and the true parameter values are instead

$$ \rho_D = 19, \quad t_{ref,D} = 0.95 \text{ hr}, \quad \beta_D = 1.79, \quad \alpha_D = 34 \tag{28} $$

and again $N_{op} = 4$. Then using Equation (20) we calculate,

$$ P_{f,D} \approx 4 \left[ \left( \frac{87600}{1.3} \right)^{1 - 19/24} \left( \frac{1.3}{0.95} \right) \right]^{1.79} \left( \frac{0.000001}{4} \right)^{34/40} = 0.0011 \tag{29} $$
meaning the reliability under the degraded set of parameter values is $R_D = 0.9989$.

The probability of at least one fleet leader failing, and thus sounding a true alarm, can be calculated
for this degraded set of parameters using Equation (26) as

$$ P_{\text{true alarm}} = 1 - \exp\left\{ -N_{fl} \left[ \left( \frac{t_d}{t_{ref,d}} \right)^{1 - \rho_D/\rho_d} \left( \frac{t_{ref,d}}{t_{ref,D}} \right) \right]^{\beta_D} \left( \frac{P_{\text{false alarm}}}{N_{fl}} \right)^{\alpha_D/\alpha_d} \right\} = 0.956 \tag{30} $$

Viewed another way, the probability the set of fleet leaders fails to sound a true alarm when they
should (i.e., they all survive) is 0.044 or about 1/23. If one wishes to improve the probability of a true
alarm then one might raise the probability of a false alarm to $P_{\text{false alarm}} = 0.015 = 1/67$. Then a repeat
of the above calculation gives $P_{\text{true alarm}} = 0.988$, or failure to sound a true alarm now of
(1 − 0.988) = 0.012 = 1/83. This illustrates the tradeoff in terms of having to raise the chance of a false
alarm in order to raise the probability or reliability of the fleet leaders in sounding a true alarm, or in other
words, the sensitivity of the fleet leaders to uncovering a serious design or material issue. One further
observation is that, if the false alarm probability must be preserved at a low level, then the true alarm
sensitivity must be increased by increasing the number of fleet leaders, $N_{fl}$.

An interesting aspect of this result is that a different set of damage parameters will give a somewhat
different result with respect to a true alarm. For instance we consider the parameter set

$$ \rho_D = 18, \quad t_{ref,D} = 0.90 \text{ hr}, \quad \beta_D = 2.22, \quad \alpha_D = 40 \tag{31} $$

Then we calculate $P_{f,D} = 0.00108$ or $R_D = 0.9989$ and the probability of a true alarm is
$P_{\text{true alarm}} = 0.99998$. Here we could lower the probability of a false alarm to
$P_{\text{false alarm}} = 0.005 = 1/200$ and a quick calculation shows that failure of a true alarm is about the
same at $1 - P_{\text{true alarm}} = 1/224$. These two values are more desirable than the values in the previous
example, even though the number of service and fleet leader vessels is the same.

One important role of fleet leaders is to give an early warning that the reliability of flight vessels to
the end of the design life may be inadequate. In the example just considered we can calculate the
probability of failure of a service vessel versus time for the design parameters and degraded parameters,
and also do the same for the fleet leaders. We therefore plot

$$ F_{4,d}(t; S_{op}) = 1 - \exp\left\{ -4 (0.4299)^{40} (t/1.3)^{1.67} \right\} \tag{32} $$

$$ F_{4,D}(t; S_{op}) = 1 - \exp\left\{ -4 (0.4299)^{40} (t/0.90)^{2.22} \right\} \tag{33} $$

$$ F_{10,d}(t; S_{fl}) = 1 - \exp\left\{ -10 (0.5290)^{40} (t/1.3)^{1.67} \right\} \tag{34} $$

$$ F_{10,D}(t; S_{fl}) = 1 - \exp\left\{ -10 (0.5290)^{40} (t/0.90)^{2.22} \right\} \tag{35} $$


Figure 1 shows the results. 
Figure 1.—Operating curves for a Kevlar COPV Fleet Leader Program to
guard against possible design/manufacturing flaws and poor material
quality (Weibull probability plot).


One sees in Figure 1 that a fleet leader vessel would become likely to fail and ‘sound the alarm’
(reach 0.5 probability of failure) by 3 years, but at one year the probability is only about one-in-twenty. However, the
probability of failure of a service vessel is very low by then. Once again, if the advance warning (3 years)
is deemed not good enough, then one must consider raising the number of fleet leaders so that warning
can be had sooner.
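
The one-year and three-year figures quoted above follow from the operating curves of Equations (32) to (35), and the same curves give the risk the service vessels have accumulated by the time the fleet leaders are likely to have sounded the alarm. The Python sketch below is an added example, not code from the original report; the function and dictionary names are its own, and it assumes 8760 hr per year and the curve constants as printed in those equations.

```python
import math

HOURS_PER_YEAR = 8760.0

# Operating curves of Eqs. (32)-(35): (vessels, stress ratio, alpha, t_ref [hr], beta)
CURVES = {
    "service, design": (4, 0.4299, 40, 1.3, 1.67),           # Eq. (32)
    "service, degraded": (4, 0.4299, 40, 0.90, 2.22),        # Eq. (33)
    "fleet leader, design": (10, 0.5290, 40, 1.3, 1.67),     # Eq. (34)
    "fleet leader, degraded": (10, 0.5290, 40, 0.90, 2.22),  # Eq. (35)
}


def prob_any_failure(curve, t_hr):
    """Probability that at least one vessel on this curve has failed by t_hr."""
    n, s, alpha, t_ref, beta = CURVES[curve]
    return -math.expm1(-n * s ** alpha * (t_hr / t_ref) ** beta)


def time_to_probability(curve, prob):
    """Hours until the curve reaches the given failure probability (inverse of F)."""
    n, s, alpha, t_ref, beta = CURVES[curve]
    return t_ref * (-math.log1p(-prob) / (n * s ** alpha)) ** (1.0 / beta)


def warning_margin(prob_alarm=0.5):
    """Time at which degraded fleet leaders reach prob_alarm, and the risk the
    degraded service vessels have accumulated by that time."""
    t_alarm = time_to_probability("fleet leader, degraded", prob_alarm)
    return t_alarm, prob_any_failure("service, degraded", t_alarm)


if __name__ == "__main__":
    for years in (1, 3, 10):
        row = ", ".join(
            f"{name}: {prob_any_failure(name, years * HOURS_PER_YEAR):.2e}"
            for name in CURVES
        )
        print(f"{years:2d} yr  {row}")
    t_alarm, service_risk = warning_margin()
    print(f"alarm (P = 0.5) at {t_alarm / HOURS_PER_YEAR:.2f} yr; "
          f"service-vessel risk by then: {service_risk:.1e}")
```
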


Case 2: Carbon/Epoxy Fleet Leaders 

Carbon composite overwrapped pressure vessels are currently more popular and are fast replacing the
existing Kevlar vessels. They are deemed to have a far superior stress rupture life performance compared
to their Kevlar counterparts. As before, suppose we have four carbon fiber/epoxy overwrapped vessels
instead of Kevlar vessels that are put into service and must have a design life of 10 years, i.e.,
$t_d = 87{,}600$ hr at a reliability level of $R_d = 0.999999$ (six nines) or probability of failure $P_{f,d} = 0.000001$.
We also assume the critical reliability for corrective action due to damage to be 0.999, or the probability of
failure $P_{f,D} = 0.001$. This means that $\theta = 1/2$ since $P_{f,D} = \sqrt{P_{f,d}}$. We assume the design parameters
are

$$\rho_d = 120, \quad t_{\text{ref},d} = 1.0\ \text{hr}, \quad \beta_d = 0.25, \quad \alpha_d = \beta_d \rho_d = 30 \tag{36}$$

Then the lifetime distribution Equation (1) becomes

$$F_4(t; S_{op}) = 1 - \exp\left\{ -4\left[ (S_{op})^{120}\,(t/1.0) \right]^{0.25} \right\} \approx 4\,(S_{op})^{30}\,(t/1.0)^{0.25}, \quad t > 0 \tag{37}$$



The fiber stress ratio for this case is

$$S_{op} = \left[ \frac{P_{f,d}}{N_{op}\,(t_d/t_{\text{ref},d})^{\beta_d}} \right]^{1/\alpha_d} = \left[ \frac{0.000001}{4\,(87600)^{0.25}} \right]^{1/30} = 0.5480 \tag{38}$$


Suppose we then place $N_{fl} = 10$ fleet leaders on test and choose a probability $P_{\text{false alarm}} = 0.01$ that at least one of the
10 fleet leaders fails even though the original design is correct. The required stress ratio is

$$S_{fl} = \left[ \frac{-\ln\left(1 - P_{\text{false alarm}}\right)}{N_{fl}\,(t_d/t_{\text{ref},d})^{\beta_d}} \right]^{1/\alpha_d} = \left[ \frac{0.01005}{10\,(87600)^{0.25}} \right]^{1/30} = 0.7226 \tag{39}$$


In order for the fleet leader program to be useful, however, it must be capable of detecting a problem 
with the design/fabrication or material quality of the service vessel whereby the actual parameter values 
are degraded relative to those assumed in the design. For instance, we suppose that a key manufacturing 
process in the fiber or overwrap was mishandled, and the parameter values are instead 

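$$\rho_D = 80, \quad t_{\text{ref},D} = 1.0\ \text{hr}, \quad \beta_D = 0.225, \quad \alpha_D = 18 \tag{40}$$

and again $N_{op} = 4$. Then we calculate

$$P_{f,D} \approx 4 \left[ \left( \frac{87600}{1.0} \right)^{1 - 80/120} \right]^{0.225} \left( \frac{0.000001}{4} \right)^{18/30} = 0.00103 \tag{41}$$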


or reliability $R_D = 0.9989$ for the service vessels governed by the degraded parameters, Equation (40). For
the fleet leaders also with the degraded parameter set, we calculate

$$P_{\text{true alarm}} = 1 - \exp\left\{ -N_{fl} \left[ \left( \frac{t_d}{t_{\text{ref},d}} \right)^{1 - \rho_D/\rho_d} \frac{t_{\text{ref},d}}{t_{\text{ref},D}} \right]^{\beta_D} \left[ \frac{-\ln\left(1 - P_{\text{false alarm}}\right)}{N_{fl}} \right]^{\alpha_D/\alpha_d} \right\} = 0.3097 \tag{42}$$

Viewed another way, the probability that a fleet leader fails to sound a true alarm when it should is $1 - 0.3097 = 0.6903$,
which is far too high. To improve the probability of a true alarm, one must raise the
probability of a false alarm. For instance, if the fleet leader stress ratio is raised to $S_{fl} = 0.789$, then we
obtain $P_{\text{false alarm}} = 0.143 = 1/7$ and $P_{\text{true alarm}} = 0.841$, but this implies a probability of failing to sound a true
alarm of $1 - 0.841 = 0.159 \approx 1/6$, which, while a significant improvement, is still not satisfactory.

As in the previous example, we can calculate the probability of failure of a service vessel versus time
for the design parameters and degraded parameters, and also do the same for the fleet leaders. Thus in
Figure 2 we plot

$$F_{4,d}(t; S_{op}) = 1 - \exp\left\{ -4\,(0.548)^{30}\,(t)^{0.25} \right\} \tag{43}$$

$$F_{4,D}(t; S_{op}) = 1 - \exp\left\{ -4\,(0.548)^{18}\,(t)^{0.225} \right\} \tag{44}$$

$$F_{10,d}(t; S_{fl}) = 1 - \exp\left\{ -10\,(0.789)^{30}\,(t)^{0.25} \right\} \tag{45}$$

$$F_{10,D}(t; S_{fl}) = 1 - \exp\left\{ -10\,(0.789)^{18}\,(t)^{0.225} \right\} \tag{46}$$


Clearly evident in Figure 2 are the high probabilities of both a false alarm and failure to sound a true 
alarm. 
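
The Case 2 design calculation can be carried through numerically, including the search for the fleet leader stress ratio at which the false-alarm and missed-alarm probabilities are equal. The Python sketch below is an added example, not code from the original report; it assumes the design and degraded parameter sets of Equations (36) and (40), evaluates both alarm probabilities at the 10-year design life, and uses function names of its own.

```python
import math

T_D = 87600.0  # design life in hours (10 years)
DESIGN = {"alpha": 30.0, "beta": 0.25, "t_ref": 1.0}     # Eq. (36)
DEGRADED = {"alpha": 18.0, "beta": 0.225, "t_ref": 1.0}  # Eq. (40)


def prob_any_failure(n, s, t, p):
    """P(at least one of n vessels fails by time t) at fiber stress ratio s."""
    return -math.expm1(-n * s ** p["alpha"] * (t / p["t_ref"]) ** p["beta"])


def stress_ratio(prob, n, t, p):
    """Stress ratio at which n vessels reach failure probability prob by time t."""
    load = -math.log1p(-prob) / (n * (t / p["t_ref"]) ** p["beta"])
    return load ** (1.0 / p["alpha"])


def alarm_probs(s_fl, n_fl):
    """(P false alarm, P failing to sound a true alarm) at the design life."""
    false_alarm = prob_any_failure(n_fl, s_fl, T_D, DESIGN)
    missed = 1.0 - prob_any_failure(n_fl, s_fl, T_D, DEGRADED)
    return false_alarm, missed


def balanced_design(n_fl, lo=0.5, hi=0.99):
    """Bisect for the s_fl where false-alarm and missed-alarm risks are equal."""
    for _ in range(60):
        mid = 0.5 * (lo + hi)
        false_alarm, missed = alarm_probs(mid, n_fl)
        if false_alarm < missed:
            lo = mid  # fleet leaders too insensitive: raise the stress ratio
        else:
            hi = mid
    return mid, alarm_probs(mid, n_fl)[0]


if __name__ == "__main__":
    s_op = stress_ratio(1e-6, 4, T_D, DESIGN)   # Eq. (38)
    s_fl = stress_ratio(0.01, 10, T_D, DESIGN)  # Eq. (39)
    print(f"S_op = {s_op:.4f}, S_fl = {s_fl:.4f}")
    print(f"P_f,D = {prob_any_failure(4, s_op, T_D, DEGRADED):.5f}")  # Eq. (41)
    print(f"true alarm at S_fl = {1 - alarm_probs(s_fl, 10)[1]:.4f}")
    for n_fl in (10, 20, 40, 80):
        s, p = balanced_design(n_fl)
        print(f"N_fl = {n_fl:2d}: S_fl = {s:.4f}, false = missed alarm = {p:.3f}")
```

With these parameters the balanced error probability falls only from about 0.14 with 10 fleet leaders to about 0.07 with 80, which puts a number on how weakly carbon fleet leaders discriminate.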

Case 3: Design of Fleet Leaders for T1000G Fiber COPVs for Constellation Program. 

In this example we consider a hypothetical fleet leader program design for the Constellation Program. Let
us say the typical vehicle is to carry 20 COPVs at a burst factor (design burst pressure/maximum
operating pressure) of about 2.0. This translates approximately to a stress ratio of 50 percent. The
properties used are for a typical T1000G fiber overwrap. The parameters chosen for the model are $\rho_d = 72$,
$t_{\text{ref},d} = 0.001$ hr, $\beta_d = 0.35$. These are expected values of parameters for a flight size T1000G
overwrapped pressure vessel based on very limited data that is available in the literature. The model
parameters chosen to represent pressure vessels with potential errors in design, materials quality control
or manufacturing are $\rho_D = 50$, $t_{\text{ref},D} = 0.001$ hr, $\beta_D = 0.20$. The reduced parameters would lead to a much
lower reliability than the levels acceptable under the strict program requirements. The number of fleet leaders
needed and the operating conditions for the fleet leaders are considered as design parameters and are
estimated based on the models developed in the current work.


Figure 2. — Operating curves for a carbon COPV Fleet Leader Program
to guard against possible design/manufacturing flaws and poor material
quality. (Weibull probability plot; horizontal axis: lifetime, hours.)
Figure 3. — Fleet leader design space for carbon Composite Overwrapped Pressure Vessels.

A family of sets of 10, 20, ..., 80 fleet leaders is considered to arrive at the desired settings for the
“false alarm” and “true alarm” as described below. The results are plotted in Figure 3. The horizontal axis
in the figure represents a ‘false alarm’, meaning the chance of a fleet leader failure due to natural 
anticipated causes by the model. Both “failure to sound a true alarm” and “stress ratio” are plotted on the 
vertical axis. Here “failure to sound a true alarm” means that despite high risk from processing errors the 
fleet leaders have not sounded the alarm. As shown in the figure, under the assumed operating conditions 
(stress ratio = 50 percent) and design life of 1 year (8760 hr) of continuous operation, the probability of 
one of the 20 flight vessels failing due to degraded parameters of the model (to represent deficient or 
damaged vessels during manufacturing) is about 0.16. Also plotted in the same figure are the fleet leader 
stress ratios as a function of “false alarm”. For a “false alarm” setting of 0.02 (chance of natural fleet 
leader failure), it can be seen from the figure that we need at least 20 or more vessels in the fleet leader 
program to make sure that a true alarm sounds with 95 percent certainty. The stress ratios needed for the 
fleet leaders in order to keep the false alarm setting at 0.02 is around 60 percent which is significantly 
higher than the operating stress ratios in the fleet. False alarms cause costly program and schedule 
disruptions. In order to minimize such disruptions it is always desirable to reduce this setting to a lower 
value. For example, if we set false alarm to 0.01 (which corresponds to about 0.55 percent stress ratio) 
then from the figure we can see that the number of fleet leaders has to be increased to 25 or more so that
the failure to sound a true alarm is less than 5 percent. The costs of schedule disruptions must be carefully 
weighed against the cost of keeping more fleet leaders in the program to set the optimum settings for the 
false alarm. The present methodology provides the necessary mathematical framework to perform such 
trade studies before setting up a fleet leader program. 

Fleet Leader Issues: Carbon vs. Kevlar 

Based upon the above results for the three different cases for Kevlar and carbon COPVs we can
summarize the following critical issues for setting up fleet leader programs. 

(1) One difficulty in the case of carbon COPVs is that the probabilities do not change very rapidly 
with time. The probabilities of a false alarm or true alarm are both high in the first few hours but the 
growth rate rapidly slows. This is because the Weibull lifetime shape parameter values are very low ($\beta_d = 0.25$
and $\beta_D = 0.225$), and thus, there is a strongly decreasing hazard rate with time. The case with Kevlar
COPVs was very different. In that case $\beta_d = 1.67$ and $\beta_D = 2.5$, so the hazard rate was strongly
increasing.

(2) Another difficulty is the major difference in sensitivity in the two cases with respect to false 
alarms and true alarms. In the two Kevlar COPV cases, the probabilities of either giving a false alarm or 
failing to sound a true alarm were both no more than 1/67 in the first example and about 1/200 in the 
second example. In the carbon COPV case these probabilities were both much higher at about 1/7. For 
carbon COPVs, this lack of discriminating ability lowers the usefulness of the fleet leaders. Unfortunately 
the scenario cited is typical of what is seen in carbon/epoxy strand data where p values and a values can 
vary widely among data sets and between vessels and strands for the same fiber. Changes of fiber or 
matrix lead to large changes in model parameters. 

(3) In the case of carbon COPVs, the stress ratios in the fleet leaders must be very high in order to 
obtain reasonably balanced sensitivities for false and true alarms when both operate in the same real time. 
In the above example, although a moderate design stress ratio, $S_{op} = 0.548$, is applied to the service
vessels, the fleet leader stress ratio, $S_{fl} = 0.7226$, despite being much higher, was poor at sounding a true
alarm when the vessel parameters reflected serious degradation or damage. The fiber stress ratio had to
be raised to $S_{fl} = 0.789$ to balance the sensitivities to avoiding false alarms and sounding true alarms.

(4) Difficulties arise also when the fleet leaders are not truly identical to the service vessels and there 
is uncertainty in exactly what the differences are. For instance in the carbon COPV case the fiber stress
ratio that was needed, $S_{fl} = 0.789$, is actually well above most proof test levels, typically 0.65 to 0.75.
While we have not considered proof testing in the above examples, the circumstances of the fleet leaders 
and service vessels are immediately very different since ‘de facto’ they have different proof levels. 
Unfortunately, proof testing by itself can introduce damage in terms of broken strands especially when 
above 0.70. This becomes a critical parameter in the case of the fiber breakage reliability model (Refs. 2 
and 13), which is more appropriate for carbon COPVs. Thus the relationship between the fleet leaders and 
service vessels becomes more uncertain, which adds to the difficulty of evaluating sensitivities in terms of 
true and false alarms. 

(5) Finally, pure fleet leaders — i.e., vessels that are identical to service vessels in design, load and 
environment except service vessels accumulate time at risk much more slowly — require less 
sophistication in terms of a model than do fleet leaders that employ some form of acceleration. Despite 
the longstanding scientific basis for pressure and temperature acceleration, particularly the latter using 
Arrhenius laws, skepticism of engineers lacking sufficient foundation in probability and statistics as well 
as the stress-rupture phenomenon itself can cloud proper interpretation of true alarm versus false alarm 
sensitivities, when failures occur. If the underlying basis of these sensitivities is poorly understood, and 
the number of fleet leader vessels insufficient, then the benefit of a fleet leader program is open to serious 
question. The danger is that the observations over time — whether fleet leader failures occur or not — are 
likely to be incorrectly interpreted and may be rationalized or even manipulated in decision making. The 
risk is that truly degraded service vessels will end up being kept in service. 

Conclusions 

Stress rupture of composite overwraps can cause catastrophic consequences leading to loss of crew 
and spacecraft and hence the reliability of these vessels during the entire duration of a space program 
must be carefully examined and assessed. The present paper illustrates, via a classic stress rupture lifetime 
model (Refs. 1 and 6 to 10), how one can statistically design a “fleet leader” program, including fiber 
stress ratios and numbers of test vessels, as a risk mitigation step to supplement the original reliability 
calculations by analysis only, but with parameter values estimated using an available data base of similar
material systems. Furthermore, the considerable complications arising in the case of carbon COPVs, due 
to widely differing model parameters for carbon versus Kevlar vessels, have been illustrated via specific 
examples. 